Thanks, Rowland.
I'll give it some thought.
At this point, I may even go back to slackware or gentoo.
It is a bit much learning all the new system tools (systemd, systemctl, firewalld, NetworkManager, etc.) while moving from a samba standalone configuration to AD/DC, DNS, Kerberos, all for the first time.
I'm also considering calling Pantek.com - - - I've had some very good experiences with them in the past.
At any rate, thanks for your time today.

Best regards,

Mike

On Wed, Apr 22, 2015 at 2:01 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 22/04/15 18:47, Mike wrote:
>> Somehow /var/run/samba got erased......I don't know how or why.
>> Recreated /var/run/samba and now:
>>
>> smbclient -L localhost -U%
>> Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
>>
>>     Sharename       Type      Comment
>>     ---------       ----      -------
>>     netlogon        Disk
>>     sysvol          Disk
>>     IPC$            IPC       IPC Service (Samba 4.1.17-SerNet-RedHat-11.el7)
>> Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
>>
>>     Server               Comment
>>     ---------            -------
>>
>>     Workgroup            Master
>>     ---------            -------
>>
>> But same failure here:
>>
>> smbclient //localhost/netlogon -UAdministrator -c 'ls'
>> Enter Administrator's password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>> [root@a10 run]#
>>
> As far as I can see you are only testing at the moment, so can I suggest that you switch OS to Debian wheezy and then use Louis's script to install your DC, this should get you a DC that works as expected.
>
> See here for Louis's script: https://secure.bazuin.nl/scripts/
>
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On 22/04/15 19:40, Mike wrote:
> Thanks, Rowland.
> I'll give it some thought.
> At this point, I may even go back to slackware or gentoo.
> It is a bit much learning all the new system tools (systemd, systemctl, firewalld, NetworkManager, etc.) while moving from a samba standalone configuration to AD/DC, DNS, Kerberos, all for the first time.

Debian wheezy does not come with the first two of those so-called tools and you can safely remove the last from a wheezy DC, it is not needed. If you are used to using gentoo, then debian should be a breeze :-)

Louis's script works, it just needs some info from you, if you do decide to go down this path and have any questions, you know where we are :-)

Rowland

> I'm also considering calling Pantek.com - - - I've had some very good experiences with them in the past.
>
> At any rate, thanks for your time today.
>
> Best regards,
>
> Mike
I wanted to follow up to the list in hopes it will help others with a similar configuration.

Per previous posts --
OS: CentOS 7.153
Samba: Version 4.1.17-SerNet-RedHat-11.el7
Samba provisioned to act as: AD DC following Samba Wiki: Samba AD DC HOWTO
Samba Internal DNS daemon deployed.

1. Disable selinux. Unless you have a solid understanding of how to configure it for your environment, please turn it off. It is defaulted ON/Engaged in CentOS 7. If you don't understand how selinux filters calls to/from the linux kernel, you may be chasing ghosts in relation to your Samba 4.x.y AD DC. For clarification, my sysadmin and security skills are not expert level.

2. The following information may have lurked under my nose, but I did not find mention of it: There is a configuration file /etc/default/sernet-samba which requires one small edit for samba to function. The setting is defaulted to NONE, but it needs to be set to "ad".

# SAMBA_START_MODE defines how Samba should be started. Valid options are one of
# "none" to not enable it at all,
# "classic" to use the classic smbd/nmbd/winbind daemons
# "ad" to use the Active Directory server (which starts the smbd on its own)
# (Be aware that you also need to enable the services/init scripts that
# automatically start up the desired daemons.)
SAMBA_START_MODE="ad"
#SAMBA_START_MODE="none"

3. Upon initial provisioning, Samba objects when the machine name (netbios name?) and the domain/workgroup name are the same, so I changed the machine name to make them different. It appears necessary to edit the /etc/hosts file and include both of them in the hosts file:

10.10.10.100 mymachine.example.com mymachine
10.10.10.100 mydomain.example.com mydomain

4. Gotta deal with firewalld. Either uninstall it and use the iptables commands you've fought to finally understand over the years; or, use firewalld and zones, etc.
Open all those scary ports to make sure all the complex AD DC components work:

firewall-cmd --permanent --add-service=samba
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --permanent --add-port=88/tcp
firewall-cmd --permanent --add-port=88/udp
firewall-cmd --permanent --add-port=135/tcp
firewall-cmd --permanent --add-port=137/tcp
firewall-cmd --permanent --add-port=137/udp
firewall-cmd --permanent --add-port=138/udp
firewall-cmd --permanent --add-port=139/tcp
firewall-cmd --permanent --add-port=389/tcp
firewall-cmd --permanent --add-port=389/udp
firewall-cmd --permanent --add-port=445/tcp
firewall-cmd --permanent --add-port=464/tcp
firewall-cmd --permanent --add-port=464/udp
firewall-cmd --permanent --add-port=636/tcp
firewall-cmd --permanent --add-port=1024-5000/tcp
firewall-cmd --permanent --add-port=1024-5000/udp
firewall-cmd --permanent --add-port=3268/tcp
firewall-cmd --permanent --add-port=3269/tcp
firewall-cmd --permanent --add-port=5353/tcp
firewall-cmd --permanent --add-port=5353/udp
firewall-cmd --reload

5. So far, the following works:

smbclient -L localhost -U%
smbclient //mydomain.example.com/netlogon -U Administrator

From a Win 7 Pro or 8.1 Pro client, I can point Windows Explorer to the Samba4 AD DC box by entering \\10.10.10.100 in the address bar.
I can also provide UserID: Administrator and Password: PaSsW8*rD and see netlogon, sysvol, and all demo directory shares I created.
I can also read/write to all of them - - - - I was surprised this was possible without actually joining the domain via (from windows): Control Panel ---> System and Security ---> System ---> Change Settings.
It's possible I was able to read/write to the demo shares because they were previously set -- chmod -R 0777 /demo/share/directory.

I still need to understand samba-tool user creation, settings, and options, as I cannot yet figure out how to connect to the AD DC box via the RSAT Server Manager app.

6. Testing DNS --
The suggested tests in the AD DC HOWTO produce errors but the samba log seems to indicate DNS is okay:

[2015/04/28 17:29:48.986108,  3] ../source4/dsdb/dns/dns_update.c:340(dnsupdate_check_names)
  Calling DNS name update script
[2015/04/28 17:29:48.989054,  3] ../source4/dsdb/dns/dns_update.c:355(dnsupdate_check_names)
  Calling SPN name update script
[2015/04/28 17:29:49.505209,  3] ../source4/dsdb/dns/dns_update.c:325(dnsupdate_spnupdate_done)
  Completed SPN update check OK
[2015/04/28 17:29:49.576183,  3] ../source4/dsdb/dns/dns_update.c:296(dnsupdate_nameupdate_done)
  Completed DNS update check OK

7. Kerberos --
I don't believe this is working yet and will need to RTFM to figure out how to chase it down.

[root@a10 etc]# ls -alh krb5.conf
lrwxrwxrwx. 1 root root 32 Apr 21 10:31 krb5.conf -> /var/lib/samba/private/krb5.conf
[root@a10 etc]# klist
klist: Credentials cache file '/tmp/krb5cc_0' not found
[root@a10 etc]#
[root@a10 etc]# kinit administrator@MYDOMAIN.EXAMPLE.COM
kinit: Cannot find KDC for realm "MYDOMAIN.EXAMPLE.COM" while getting initial credentials
[root@a10 etc]#
L.P.H. van Belle
2015-Apr-29 07:04 UTC
[Samba] Cannot authenticate the administrator account
Hai Mike,

> It appears necessary to edit the /etc/hosts file and include both of them in the hosts file:
>
> 10.10.10.100 mymachine.example.com mymachine
> 10.10.10.100 mydomain.example.com mydomain

remove the domain line here in hosts.

if you run:
hostname -s   ( name )
hostname -f   ( name.domain.tld )
hostname -d   ( domain.tld )

if one of these is incorrect, then yes, your setup will fail.

make sure your resolv.conf is correct. like to start with:
search domain.tld
nameserver yourDC_1

if hostname -d still fails, add above the search line:
domain domain.tld

now copy the krb5 file and don't symlink it.
mv /etc/krb5.conf /etc/krb5.conf.old
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

now try to kinit again.

Greetz,

Louis

> -----Original message-----
> From: 1100100 at gmail.com [mailto:samba-bounces at lists.samba.org] On behalf of Mike
> Sent: Tuesday, 28 April 2015 23:42
> CC: samba
> Subject: Re: [Samba] Cannot authenticate the administrator account
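Louis's corrections above and Mike's step list (the sernet-samba start mode, the extra /etc/hosts line, resolv.conf pointing at the DC, and the krb5.conf symlink) can all be checked mechanically before reaching for kinit again. The script below is an added example, not Samba or SerNet code; it assumes the mymachine/mydomain.example.com names and 10.10.10.100 address from the thread, and the sample files it writes are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight checks for the pitfalls in this thread (added example, not a
# Samba/SerNet tool). Each check takes a file path, so it can be run on the
# live files or on copies; exit status 0 = OK, 1 = misconfigured.

re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }   # literal dots for grep -E

# /etc/default/sernet-samba ($1): SAMBA_START_MODE must be "ad" and uncommented.
check_start_mode() {
    grep -Eq '^[[:space:]]*SAMBA_START_MODE="?ad"?[[:space:]]*$' "$1"
}

# /etc/hosts ($1): the DC's FQDN ($2) plus short name on one line, and NO line
# for the bare AD domain ($3); that line is what Louis tells Mike to remove.
check_hosts() {
    fqdn=$(re_escape "$2"); dom=$(re_escape "$3"); short=${2%%.*}
    grep -Eq "^[^#]*[[:space:]]$fqdn[[:space:]]+$short([[:space:]]|\$)" "$1" || return 1
    if grep -Eq "^[^#]*[[:space:]]$dom([[:space:]]|\$)" "$1"; then return 1; fi
}

# /etc/resolv.conf ($1): search/domain names the AD domain ($2) and a nameserver
# is the DC ($3). kinit finds the KDC via the _kerberos SRV records that the
# DC's DNS serves, hence "Cannot find KDC for realm" when this is wrong.
check_resolv() {
    dom=$(re_escape "$2"); ip=$(re_escape "$3")
    grep -Eq "^(search|domain)[[:space:]]+$dom([[:space:]]|\$)" "$1" || return 1
    grep -Eq "^nameserver[[:space:]]+$ip[[:space:]]*\$" "$1"
}

# /etc/krb5.conf ($1): a regular file (copied, not a symlink into
# /var/lib/samba/private) whose default_realm is the upper-case realm ($2).
check_krb5() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$(re_escape "$2")[[:space:]]*\$" "$1"
}

# Constructed samples mirroring the thread: good files, plus Mike's hosts file.
write_samples() {
    printf 'SAMBA_START_MODE="ad"\n#SAMBA_START_MODE="none"\n' > "$1/sernet-samba"
    printf '127.0.0.1 localhost\n10.10.10.100 mymachine.example.com mymachine\n' > "$1/hosts.good"
    printf '10.10.10.100 mymachine.example.com mymachine\n10.10.10.100 mydomain.example.com mydomain\n' > "$1/hosts.bad"
    printf 'search mydomain.example.com\nnameserver 10.10.10.100\n' > "$1/resolv.conf"
    printf '[libdefaults]\n\tdefault_realm = MYDOMAIN.EXAMPLE.COM\n\tdns_lookup_kdc = true\n' > "$1/krb5.conf"
}

d=$(mktemp -d); write_samples "$d"
check_hosts "$d/hosts.good" mymachine.example.com mydomain.example.com && echo "hosts.good: OK"
check_hosts "$d/hosts.bad" mymachine.example.com mydomain.example.com || echo "hosts.bad: bare domain line, remove it"
```

On a real DC, run the checks against /etc/default/sernet-samba, /etc/hosts, /etc/resolv.conf and /etc/krb5.conf with your own FQDN, domain, DC address and realm; a failing check is the one to fix before trying kinit.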